自签名证书

因nginx上的证书不对，导致ie浏览器即使在导入根证书的情况下还是弹出证书中的域名和请求域名不符的问题，经查是common name需要指定的为域名，如*.test.com。

http://www.haiyun.me/archives/openssl-ca-cert.html

 

mkdir -p /etc/pki/demoCA

2.生成根证书及私钥：

cd /etc/pki/demoCA

mkdir private crl certs newcerts #新建证书存放目录

echo '00' > serial #新建serial文件并写入初始序列号00

touch index.txt #新建index.txt空文件

openssl genrsa -out private/cakey.pem 1024 #生成CA根证书私钥

openssl req -new -x509 -key private/cakey.pem  -out cacert.pem #生成CA根证书

 

3.生成服务器证书私钥、证书，可用于https服务器等。

openssl genrsa -out private/server.key 1024

openssl req -new -key private/server.key -out crl/server.csr #生成证书请求文件，可提供认证CA签核，或自签名。

cd ..

openssl ca -in demoCA/crl/server.csr -out demoCA/certs/server.crt #自签名证书

http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl

DN Field	Explanation	Example
Common Name	The fully qualified domain name for your web server. This must be an exact match.	If you intend to secure the URL https://www.yourdomain.com, then your CSR's common name must be www.yourdomain.com. If you plan on getting a wildcard certificate make sure to prefix your domain with an asterisk, example: *.domain.com.
Organization	The exact legal name of your organization. Do not abbreviate your organization name.	domain.com
Organization Unit	Section of the organization	IT
City or Locality	The city where your organization is legally located.	Wellesley Hills
State or Province	The state or province where your organization is legally located. Can not be abbreviated.	Massachusetts
Country	The two-letter ISO abbreviation for your country.	US